My zeroshell box in a housing complex has started to serve client requests very slowly, painfully slow in fact. Browsing is as fast as a 56k modem. My solution was to lower zeroshell's network load and put in another server for traffic and let zeroshell handle the radius side of things.

I've now got a box running pfsense and I'm using its captive portal to authenticate against zeroshell's radius server. All is working fine, pfsense will handle network traffic and send the accounting updates to zeroshell. This seems to be working well and the speeds are back to normal.

The problem:
when a user puts their username and password into the pfsense captive portal the authentication request is sent to zeroshell. Zeroshell is not denying authentication on accounts where their credit has been used up. Users are running into the negative and still being able to authenticate on their prepaid accounts even though they are in the negative. Zeroshell just keeps adding to the negative.

Solution:
Is there a way to have zeroshell tell pfsense to deny access?

Should I make both machines zeroshell and use one as radius and the other for the traffic? How would I do that? would I sit with the same authentication situation?